rule Higasia_APT {
    // Higasia loader: a PE that carries the shellcode_runner PDB path (file name
    // and directory) together with the "MECHREVO" marker. All three strings are
    // required, so the short brand string only narrows the PDB-based match and
    // never fires on its own.
    meta:
        author = "Cyble"
        description = "Detects Higasia Loader"
        date = "2023-10-26"
        os = "Windows"
        scan_type = "file"
        severity = 90
        reference_sample = "d329431aa23dba73214d1c104d01d57653fc59989a915337d1f92e6c7b56ac13"
    strings:
        $marker   = "MECHREVO"
        $pdb_file = "\\shellcode_runner.pdb"
        $pdb_dir  = "shellcode_runner\\"
    condition:
        // MZ header gate plus every string present
        all of ($marker, $pdb_file, $pdb_dir) and uint16(0) == 0x5A4D
}
rule ExampleMalware {
    // Template rule: one placeholder text string and one short opcode sequence.
    // Either string alone is enough to fire and there is no file-type gate, so
    // this is a skeleton to adapt, not a signature to deploy as-is.
    meta:
        author = "Your Name"
        description = "Detects Example Malware"
        date = "2024-10-04"
    strings:
        $text   = "malicious_string"
        $opcode = { 6A 40 68 00 00 00 00 6A 00 50 6A 00 51 6A 01 5E }
    condition:
        any of them
}
import "pe"
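rule ATMitch {
    // ATMitch dropper / payload. Two independent paths:
    //   (1) PE layout fingerprint (exactly 4 sections, 3 resources) plus the two
    //       code fragments $str1 and $str2, or
    //   (2) the complete set of XFS / dispensing strings $str3..$str8.
    // The original condition mixed "and" and "or" without parentheses and relied
    // on YARA precedence; the grouping below is the same but explicit. A PE gate
    // (uint16(0) == 0x5A4D) is added in front of both paths: the rule imports "pe"
    // and both paths describe Windows binaries, and without the gate path (2)
    // would fire on any file type that happened to embed the strings.
    meta:
        description = "Yara Rule for ATMitch Dropper/Payload"
        author = "ZLAB Yoroi - Cybaze"
        last_updated = "2019-05-03"
        tlp = "white"
        category = "informational"
    strings:
        $str1 = { 4A 75 E6 8B C7 8B 4D FC }
        $str2 = { EC 53 8D 4D DC 88 }
        $str3 = "MSXFS.dll"          // XFS manager DLL (ATM peripheral API)
        $str4 = "DISPENSE"
        $str5 = "PinPad"
        $str6 = "cash"               // far too short alone; only meaningful inside the AND group
        $str7 = { 40 59 41 50 41 58 49 40 5A }   // ASCII "@YAPAXI@Z", an MSVC-style decorated-name fragment
        $str8 = "WFMFreeBuffer"      // XFS API function name
    condition:
        uint16(0) == 0x5A4D and (
            (pe.number_of_sections == 4 and pe.number_of_resources == 3 and $str1 and $str2)
            or all of ($str3, $str4, $str5, $str6, $str7, $str8)
        )
}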
import "elf"
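rule Kinsing_Malware {
    // Kinsing / NSPPS: a Go ELF bot. After the ELF gate and a section-size sanity
    // check, any one of these is enough: the RC4 key bytes, the scanner command
    // line, the full set of vendored Go packages, or 4 of the main.* symbols.
    //
    // Changes from the original:
    //  - the ELF check now covers all four magic bytes (uint32(0) == 0x464C457F,
    //    as the other Linux rules in this set do) instead of only "\x7fE";
    //  - the section-size sum is guarded by elf.number_of_sections > 7. The
    //    original indexed elf.sections[0..7] unconditionally, which is undefined
    //    (and therefore silently false) on an ELF with fewer than eight
    //    sections; the guard makes that requirement explicit.
    meta:
        author = "Aluma Lavi, CyberArk"
        date = "22-01-2021"
        version = "1.0"
        hash = "d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b"
        description = "Kinsing/NSPPS malware"
    strings:
        // ASCII "764153446b61"
        $rc4_key = { 37 36 34 31 35 33 34 34 36 62 36 31 }
        // scanner invocation with masscan-style flags; "$" is literal in a YARA text string
        $firewire = "./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT"
        // vendored Go packages (all seven required on this path)
        $packa1 = "google/btree" ascii wide
        $packa2 = "kardianos/osext" ascii wide
        $packa3 = "kelseyhightower/envconfig" ascii wide
        $packa4 = "markbates/pkger" ascii wide
        $packa5 = "nu7hatch/gouuid" ascii wide
        $packa6 = "paulbellamy/ratecounter" ascii wide
        $packa7 = "peterbourgon/diskv" ascii wide
        // Go symbol names from the bot's main package (any four)
        $func1 = "main.RC4" ascii wide
        $func2 = "main.runTaskWithScan" ascii wide
        $func3 = "main.backconnect" ascii wide
        $func4 = "main.downloadAndExecute" ascii wide
        $func5 = "main.startCmd" ascii wide
        $func6 = "main.execTaskOut" ascii wide
        $func7 = "main.minerRunningCheck" ascii wide
    condition:
        uint32(0) == 0x464C457F
        and elf.number_of_sections > 7
        // reject files whose first eight section sizes exceed the file (truncated/packed)
        and (elf.sections[0].size + elf.sections[1].size + elf.sections[2].size + elf.sections[3].size
             + elf.sections[4].size + elf.sections[5].size + elf.sections[6].size + elf.sections[7].size) <= filesize
        and ($rc4_key or $firewire or all of ($packa*) or 4 of ($func*))
}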
import "pe"
rule maggie_backdoor {
    // Maggie: a backdoor shipped as an MSSQL extended stored procedure. The
    // markers are the implant's own status / usage messages (SOCKS5, client-data
    // commands, "ElevateTS") plus the host-side artefacts it references
    // (\Binn\sqlservr.exe, opends60.dll). PE files with at least 8 of 13.
    meta:
        description = "Detect MSSQL extended stored procedure backdoor Maggie files"
        author = "Johann Aydinbas, TEC / DCSO CyTec"
        reference = " https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01 "
    strings:
        $m01 = "Account Owner Not Found For The SID"
        $m02 = "Call SO_UPDATE_ACCEPT_CONTEXT To Get IP"
        $m03 = "Socks5 Stopped Failure"
        $m04 = "It Has Been Hooked"
        $m05 = "AllowedIP IP Port"
        $m06 = "Wait 5 To 10 Seconds For TS Taking Effect"
        $m07 = "\\Binn\\sqlservr.exe"
        $m08 = "HostList UserList PassList"
        $m09 = "opends60.dll"
        $m10 = "WinSockScan"
        $m11 = "ResetClientData"
        $m12 = "ViewClientData"
        $m13 = "ElevateTS"
    condition:
        pe.is_pe and 8 of ($m*)
}
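rule Tycoon_Phish_Landing_Page {
    // Tycoon phishing landing page (HTML). Two shapes are covered:
    //   (a) an obfuscated page: all eight JS markers ($obf_str*) present, or
    //   (b) a tiny stub that only loads a "myscr<digits>.js" script ($plain_str*).
    // Fix: both regexes previously contained spaces around the quotes, the slash
    // and ".js" (`language= \" Javascript \" `). Those spaces are almost certainly
    // a rendering artefact rather than part of the markup the rule targets, and
    // they prevented branch (b) from ever matching; the patterns now read the way
    // the attributes are actually written.
    meta:
        description = "Tycoon_Phish_Landing_Page"
    strings:
        $obf_str1 = "emailcheck"
        $obf_str2 = "ccturnhtml"
        $obf_str3 = "ccelehtml"
        $obf_str4 = "cchtml"
        $obf_str5 = "bchtml"
        $obf_str6 = "atob"
        $obf_str7 = "String.fromCharCode"
        $obf_str8 = "document.write"
        $plain_str1 = /language=\"Javascript\"/
        $plain_str2 = /src=\"http.{2,99}\/myscr\d{4,6}\.js\"/
    condition:
        // NOTE(review): "filesize < 250" is 250 bytes, an unusually tight bound for
        // an HTML page; this may be a lost unit (e.g. KB). Left unchanged because
        // the intended bound cannot be recovered from here.
        all of ($obf_str*) or (all of ($plain_str*) and filesize < 250)
}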
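rule Discord_Attachment_Suspicious_Activity {
    // Discord CDN attachment URL in plain, base64, hex or reversed form; any one
    // of the four fires, so expect hits on benign software that talks to Discord.
    // Fix: the hex string decoded to "cdn.discordapp.com/attachonts" (typo in the
    // last word, 68 6F 6E 74 73), so it could never match; it now encodes
    // "cdn.discordapp.com/attachments". It is also marked nocase so that
    // lowercase hex digits match too (the encoding is the same either way).
    meta:
        description = "Detects potentially malicious activity involving Discord attachments, including executables and encoded URLs."
        author = "Modified by Andy Giron Datadog"
        original_authors = "Florian Roth (Nextron Systems)"
        date = "12/01/23"
    strings:
        $discord_url = "https://cdn.discordapp.com/attachments/" ascii wide
        // base64("cdn.discordapp.com/attachments"); only the alignment-0 encoding is covered
        $string_base64 = "Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz" ascii wide
        // hex("cdn.discordapp.com/attachments")
        $string_hex = "63646E2E646973636F72646170702E636F6D2F6174746163686D656E7473" ascii wide nocase
        $reversed_str = "stnemhcatta/moc.ppadrocsid.ndc" ascii wide
    condition:
        filesize < 5000KB and (1 of them)
}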
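rule Telegram_URL_Encodings {
    // Telegram Bot API host in plain, base64, hex or reversed form; any one fires.
    // Fix: the base64 string ended in "Zwo=", i.e. it encoded "api.telegram.org\n"
    // with a trailing newline (the classic `echo | base64` artefact) and matched
    // only that exact byte sequence. It now ends at "Z", the last sextet that is
    // fixed regardless of what follows the host, so it matches
    // "api.telegram.org" wherever it sits at base64 alignment 0 (the other two
    // alignments are still not covered). The hex string is marked nocase so
    // lowercase hex digits match as well.
    meta:
        description = "Detects various encoded forms of Telegram URLs, indicative of potential malicious activity."
        author = "Andy Giron Datadog"
        date = "12/01/23"
    strings:
        $telegram_url = "https://api.telegram.org/" ascii wide
        $string_base64 = "YXBpLnRlbGVncmFtLm9yZ" ascii wide
        // hex("api.telegram.org/")
        $string_hex = "6170692E74656C656772616D2E6F72672F" ascii wide nocase
        $reversed_str = "moc.margelet.ipa" ascii wide
    condition:
        1 of them
}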
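rule Discord_URL_Encodings {
    // Discord base URL in plain, base64, hex or reversed form; any one fires.
    // Note the plain form "https://discord.com/" is in countless benign files.
    // Fix: the base64 string "aHR0cHM6Ly9kaXNjb3JkLmNvbS8=" carried the final
    // partial sextet and padding, so it matched only when the encoded data ended
    // exactly after "discord.com/". Dropping "8=" keeps every previous match and
    // also catches longer URLs (e.g. ".../invite/...") at base64 alignment 0.
    // The hex string is marked nocase so uppercase hex digits match as well.
    meta:
        description = "Detects various encoded forms of Discord URLs, indicative of potential malicious activity."
        author = "Andy Giron Datadog"
        // reference duplicates the date; no source link is recorded for this rule
        reference = "12/01/23"
        date = "12/01/23"
    strings:
        $discord_url = "https://discord.com/" ascii wide
        // base64("https://discord.com/") without the trailing partial sextet
        $string_base64 = "aHR0cHM6Ly9kaXNjb3JkLmNvbS" ascii wide
        // hex("https://discord.com/")
        $string_hex = "68747470733a2f2f646973636f72642e636f6d2f" ascii wide nocase
        $reversed_str = "moc.drocsid//:sptth" ascii wide
    condition:
        1 of them
}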
rule HijackLoader {
    // HijackLoader / IDAT Loader initial stage. Two code patterns for what
    // appears to be the same routine (a loop that adds up the 16-bit units of a
    // wide string until it reaches a NUL) as emitted by two different compilers;
    // stack offsets and jump displacements are wildcarded. PE gate plus either
    // pattern.
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for IDAT Loader inital sample"
        last_updated = "2023-11-27"
        tlp = "WHITE"
        category = "informational"
    strings:
        $wstr_sum_a = { 89 4D F4 C7 45 F8 00 00 00 00 C7 45 F? 00 00 00 00 8B 45 F? 8B 4D F4 0F B7 14 41 85 D2 74 ?? 8B 45 FC 8B 4D F4 0F B7 14 41 03 55 F8 89 55 F8 8B 45 FC 83 C0 01 89 45 FC }
        $wstr_sum_b = { C7 45 FC 00 00 00 00 C7 45 F? 00 00 00 00 8B 45 F? 8D 14 00 8B 45 08 01 D0 0F B7 00 66 85 C0 74 ?? 8B 45 F8 8D 14 00 8B 45 08 01 D0 0F B7 00 0F B7 C0 01 45 FC 83 45 F8 01 }
    condition:
        uint16(0) == 0x5A4D and ($wstr_sum_a or $wstr_sum_b)
}
import "pe"
rule MAL_DonutLoader_DonotAPT {
    // Donot APT / DonutLoader chain. A small PE (< 600KB) that carries any one of:
    // a dropped-file name, one of the operator's Dev\Desktop build directories, a
    // string token, a PDB path, or one of the loader's export names.
    // Everything is OR-ed, so a single nocase name such as "made.dll" is enough
    // to fire; triage hits against the stronger markers (build and PDB paths).
    meta:
        author = "Asuna Amawaka"
        description = "This rule hopes to capture parents of DonutLoader as well as DonutLoader binaries"
        date = "30 Nov 2020"
    strings:
        // dropped payload / stage file names
        $fn01 = "wavs.bin" ascii wide nocase
        $fn02 = "ogg.bin" ascii wide nocase
        $fn03 = "muka.dll" ascii wide nocase
        $fn04 = "linknew.dll" ascii wide nocase
        $fn05 = "kpryt.dll" ascii wide nocase
        $fn06 = "cvent.dll" ascii wide nocase
        $fn07 = "trui19o2.dll" ascii wide nocase
        $fn08 = "lioj86.dll" ascii wide nocase
        $fn09 = "fuitel.dll" ascii wide nocase
        $fn10 = "dpur.dll" ascii wide nocase
        $fn11 = "mecru.dll" ascii wide nocase
        $fn12 = "eupol.dll" ascii wide nocase
        $fn13 = "mentn.dll" ascii wide nocase
        $fn14 = "made.dll" ascii wide nocase
        $fn15 = "notr.dll" ascii wide nocase
        $fn16 = "vetu.dll" ascii wide nocase
        $fn17 = "detr.dll" ascii wide nocase
        $fn18 = "bese.dll" ascii wide nocase
        $fn19 = "NumberAlgo.dll" ascii wide nocase
        $fn20 = "JacaPM.dll" ascii wide nocase
        $fn21 = "maroork.dll" ascii wide nocase
        $fn22 = "fli0.dll" ascii wide nocase
        $fn23 = "nuityr.dll" ascii wide nocase
        $fn24 = "jgasf.dll" ascii wide nocase
        $fn25 = "tuyrt.dll" ascii wide nocase
        $fn26 = "lefbu.dll" ascii wide nocase
        $fn27 = "pult.dll" ascii wide nocase
        $fn28 = "quep.dll" ascii wide nocase
        $fn29 = "nmwell.dll" ascii wide nocase
        $fn30 = "yello.dll" ascii wide nocase
        $fn31 = "lokr.js" ascii wide nocase
        $fn32 = "falin.js" ascii wide nocase
        $fn33 = "obile.js" ascii wide nocase
        $fn34 = "vqiw.js" ascii wide nocase
        $fn35 = "gb.bat" ascii wide nocase
        $fn36 = "iksm.bat" ascii wide nocase
        $fn37 = "trrt.bat" ascii wide nocase
        $fn38 = "blo.bat" ascii wide nocase
        $fn39 = "SystemService.exe" ascii wide nocase
        // build / staging directories; each *_wild variant is the same path as
        // raw bytes with the date-stamp portion replaced by a wildcard
        $dir1 = "C:\\Users\\Dev\\Desktop\\07082020_8570_S\\" ascii wide nocase
        $dir1_wild = { 5C 55 73 65 72 73 5C 44 65 76 5C 44 65 73 6B 74 6F 70 5C [8] 5F [4] 5F 53 5C }
        $dir2 = "AppData\\Roaming\\EvMGR" ascii wide nocase
        $dir3 = "C:\\Users\\Dev\\Desktop\\Macro_Xls_1704_S" ascii wide nocase
        $dir3_wild = { 5C 55 73 65 72 73 5C 44 65 76 5C 44 65 73 6B 74 6F 70 5C 4D 61 63 72 6F 5F 58 6C 73 5F [4] 5F 53 }
        $dir4 = "C:\\Users\\Dev\\Desktop\\01052020_MacroXlsEmb_S" ascii wide nocase
        $dir4_wild = { 5C 55 73 65 72 73 5C 44 65 76 5C 44 65 73 6B 74 6F 70 5C [8] 5F 4D 61 63 72 6F 58 6C 73 45 6D 62 5F 53 }
        // miscellaneous tokens seen in the samples
        $tok1 = "MJuego" ascii wide nocase
        $tok2 = "0007E9E4CE4D" ascii wide nocase
        $tok3 = "Bensun" ascii wide nocase
        $tok4 = "Menner" ascii wide nocase
        // PDB paths; $pdb1_wild is "\Soft\DevelopedCode_Last\BitDefenderTest" as raw bytes
        $pdb1 = "Soft\\DevelopedCode_Last\\BitDefenderTest\\m0\\New_Single_File\\Lo2\\SingleV2\\Release\\BinWork.pdb" ascii wide nocase
        $pdb1_wild = { 5C 53 6F 66 74 5C 44 65 76 65 6C 6F 70 65 64 43 6F 64 65 5F 4C 61 73 74 5C 42 69 74 44 65 66 65 6E 64 65 72 54 65 73 74 }
        $pdb2 = "Users\\admin\\Documents\\dll\\linknew\\Release\\linknew.pdb" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 600KB and (
            any of ($fn*, $dir*, $tok*, $pdb*)
            or pe.exports("zenu") or pe.exports("flis") or pe.exports("jrgbeg")
            or pe.exports("csytu") or pe.exports("neeu") or pe.exports("vile")
        )
}
import "pe"
rule lazarus_dtrack {
    // DTrack collector as seen in the KKNPP intrusion. The $hi* strings are the
    // operator-specific artefacts (the hard-coded internal staging host
    // 10.38.1.35, the Execute_%s.log name, the Firefox profile path); the $lo*
    // strings are the embedded sqlite3-shell usage text, browser-history paths
    // and the tool's "CCS_"-prefixed strings. Fires on the import hash alone,
    // on any single $hi* marker, or on four strings of any kind.
    // NOTE: $lo12 reproduces a "net use" command with a plaintext credential
    // exactly as found in the sample; it is a detection artefact only.
    meta:
        description = "lazarus - dtrack on nuclear implant KKNPP"
        date = "2019-11-02"
        hash1 = "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364"
    strings:
        $hi1 = "move /y %s \\\\10.38.1.35\\C$\\Windows\\Temp\\MpLogs\\" ascii fullword
        $hi2 = "Execute_%s.log" ascii fullword
        $hi3 = "%s\\%s\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" ascii fullword
        $lo4 = "CCS_/c ping -n 3 127.0.0.1 >NUL & echo EEEE > \"%s\"" ascii fullword
        $lo5 = "%s\\%s\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" ascii fullword
        $lo6 = "Usage: .system COMMAND" ascii fullword
        $lo7 = "Usage: .dump ?--preserve-rowids? ?--newlines? ?LIKE-PATTERN?" ascii fullword
        $lo8 = "CCS_shell32.dll" ascii fullword
        $lo9 = "%s:%d: expected %d columns but found %d - filling the rest with NULL" ascii fullword
        $lo10 = "%s:%d: expected %d columns but found %d - extras ignored" ascii fullword
        $lo11 = "%s\\%s\\AppData\\Application Data\\Mozilla\\Firefox\\Profiles" ascii fullword
        $lo12 = "net use \\\\10.38.1.35\\C$ su.controller5kk /user:KKNPP\\administrator" ascii fullword
        $lo13 = "VALUES(0,'memo','Missing SELFTEST table - default checks only',''), (1,'run','PRAGMA integrity_check','ok')" ascii fullword
        $lo14 = "CCS_Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" ascii fullword
        $lo15 = "Usage %s sub-command ?switches...?" ascii fullword
        $lo16 = "Usage: .log FILENAME" ascii fullword
        $lo17 = "Content-Disposition: form-data; name=\"result\"; filename=\"%s.bmp\"" ascii fullword
        $lo18 = "%z%sSELECT pti.name FROM \"%w\".sqlite_master AS sm JOIN pragma_table_info(sm.name,%Q) AS pti WHERE sm.type='table'" ascii fullword
        $lo19 = "CCS_kernel32.dll" ascii fullword
        $lo20 = "CCS_Advapi32.dll" ascii fullword
    condition:
        uint16(0) == 0x5A4D and filesize < 2000KB and (
            pe.imphash() == "75171549224b4292974d6ee3cf397db8"
            or 1 of ($hi*)
            or 4 of them
        )
}
rule BLACKMOON_BANKER {
    // BlackMoon banker (updated variant). All four strings are required: the
    // "BlackMoon RunTime Error:" banner (reportedly a compiler-runtime string that
    // also appears in benign programs built with it) is narrowed by the rundll32,
    // "ipconfig /flushdns" and hosts.ics strings that together describe the
    // banker's DNS/hosts tampering.
    meta:
        author = "Proofpoint Staff"
        info = "blackmoon update"
    strings:
        $banner    = "BlackMoon RunTime Error:" ascii wide nocase
        $rundll    = "\\system32\\rundll32.exe" ascii wide
        $flushdns  = "cmd.exe /c ipconfig /flushdns" ascii wide
        $hosts_ics = "\\system32\\drivers\\etc\\hosts.ics" ascii wide
    condition:
        $banner and $rundll and $flushdns and $hosts_ics
}
rule CISA_10445155_01 : TRUEBOT downloader {
    // TRUEBOT downloader (CISA MAR 10445155). Markers: a domain, two
    // random-looking tokens, a log file name, a decoy .mp4 name and two UTF-16LE
    // strings; any 5 of the 7.
    // The ASCII strings are written as text here (byte-identical to the
    // original hex form). The two UTF-16LE strings stay as hex because the
    // original patterns end on the last character without its trailing 00 byte,
    // which a "wide" text string would require.
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10445155"
        Date = "2023-05-17"
        Last_Modified = "20230523_1500"
        Actor = "n/a"
        Family = "TRUEBOT"
        Capabilities = "n/a"
        Malware_Type = "downloader"
        Tool_Type = "n/a"
        Description = "Detects TRUEBOT downloader samples"
        SHA256 = "7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7"
    strings:
        $s1 = "dremmfyttrred.com"
        $s2 = "Nsu2OdiwodOs2"
        $s3 = "YiPumybosaWiWexy"
        $s4 = "repots_error.txt"
        $s5 = "Lkjdslfj32oijrfewgw.mp4"
        $s6 = { 54 00 72 00 69 00 67 00 67 00 65 00 72 00 31 00 32 }                    // UTF-16LE "Trigger12"
        $s7 = { 54 00 55 00 72 00 66 00 57 00 65 00 73 00 54 00 69 00 66 00 73 00 66 }  // UTF-16LE "TUrfWesTifsf"
    condition:
        5 of ($s*)
}
import "pe"
rule glupteba_dropper {
    // Glupteba dropper. Fires on the characteristic PDB path shape
    // (<drive>:\<4 letters><2 digits>-<16 letters><2 digits>\<a>-<b>_<c>.pdb)
    // on its own, or on a large (> 5000KB) section- and resource-heavy PE that at
    // least still contains a ".pdb" string.
    // The condition is an equivalent rewrite of the original
    // "((size/layout) and any of them) or $pdb": whenever $pdb is absent,
    // "any of them" reduces to $pdb_generic.
    meta:
        author = "Cybereason"
        date = "2019/08"
        name = "Glupteba dropper PE"
        hash = "2691031A8BA0574FC541225CAAE7779FC3EFC332"
    strings:
        $pdb = /([A-Za-z]):\\[a-z]{4}[0-9]{2}-[a-z]{16}[0-9]{2}\\\w+-\w+_\w+\.pdb/ ascii fullword
        $pdb_generic = ".pdb"   // 4 bytes, extremely common; only used inside the size-gated branch
    condition:
        $pdb or (
            filesize > 5000KB
            and pe.number_of_sections > 4
            and pe.number_of_resources > 7
            and $pdb_generic
        )
}
rule skeleton_key_patcher {
    // Skeleton Key patcher: a binary naming lsass.exe (wide) together with the
    // two DLLs and the three functions the original author labelled as the
    // patch targets, plus the "HookDC.dll" module name. All seven strings must
    // be present; there is no file-type gate, so this also works on memory dumps.
    strings:
        $proc = "lsass.exe" wide
        $mod1 = "cryptdll.dll"
        $mod2 = "samsrv.dll"
        $hook = "HookDC.dll"
        $fn1  = "CDLocateCSystem"
        $fn2  = "SamIRetrievePrimaryCredentials"
        $fn3  = "SamIRetrieveMultiplePrimaryCredentials"
    condition:
        $proc and $hook and all of ($mod*) and all of ($fn*)
}
rule BAT_Ransomware_Downloader {
    // Batch script that fetches "combined.ps1" from a hard-coded SMB host
    // (\\207.38.198.187) and references an SMBPath variable; Cyble describes
    // the payload as an imitator of NoEscape ransomware. All three strings are
    // required, which keeps the two generic names from firing alone.
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects BAT file downloading imitator of NoEscape ransomware from SMB Share"
        date = "2023-09-01"
        os = "Windows"
    strings:
        $smb_var  = "SMBPath" ascii nocase
        $smb_host = "\\207.38.198.187"
        $payload  = "combined.ps1" ascii nocase
    condition:
        $smb_var and $smb_host and $payload
}
rule skeleton_key_injected_code {
    // Byte patterns for the code Skeleton Key places in lsass: one injected stub
    // and three x64 function bodies (the replacements for CDLocateCSystem,
    // SamIRetrievePrimaryCredentials and SamIRetrieveMultiplePrimaryCredentials)
    // with their relative call targets (E8 ?? ?? ?? ??) wildcarded. A single
    // pattern is a hit; no file-type gate, so it applies to memory as well.
    strings:
        $stub = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
        $cdlocate_csystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
        $sam_retrieve_primary = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
        $sam_retrieve_multiple = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
    condition:
        $stub or $cdlocate_csystem or $sam_retrieve_primary or $sam_retrieve_multiple
}
rule maze_caro {
    // Hunting rule rather than a content signature: it has no strings and depends
    // entirely on two external variables, "new_file" and "signatures" (presumably
    // VirusTotal Livehunt externals, where "signatures" is the joined list of AV
    // detection names). It fires on newly seen files whose detections contain
    // "Ransom" followed by "Maze". Stock yara will not compile it unless both
    // externals are defined (e.g. -d new_file=true -d signatures="...").
    condition:
        signatures matches /.*Ransom.*Maze.*/ and new_file
}
import "pe"
rule blackmatter_ransomware : blackmatter ransomware {
    // BlackMatter ransomware, matched purely on the import hash shared by the
    // builds listed in hash1..hash7, behind an MZ/PE-signature gate and a 100KB
    // size cap. There are no content strings: a rebuild that changes the import
    // table evades this rule, so pair it with a string-based rule.
    meta:
        date = "2021-09-20"
        name = "BlackMatter - RANSOMWARE"
        author = "Nozomi Networks Labs"
        description = "Generic detection for BlackMatter ransomware"
        actor = "BlackMatter"
        x_threat_name = "BlackMatter ransomware"
        x_mitre_technique = "T1486"
        hash1 = "706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d"
        hash2 = "9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a"
        hash3 = "b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a"
        hash4 = "2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd"
        hash5 = "f7b3da61cb6a37569270554776dbbd1406d7203718c0419c922aa393c07e9884"
        hash6 = "8f1b0affffb2f2f58b477515d1ce54f4daa40a761d828041603d5536c2d53539"
        hash7 = "e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d"
        nn_ts = "1632088800.0"
        nn_sig = "f7c69f3b527ffb3f0c2aa613e902d8d4f0e39966048bb6cfa57556115fa18ed9"
        nn_id = "92f90d15-9392-4076-96b5-1e42ac9874c5"
    condition:
        // cheap header checks first, imphash last
        filesize < 100KB
        and uint16(0) == 0x5A4D                       // "MZ"
        and uint32(uint32(0x3C)) == 0x00004550        // "PE\0\0" at e_lfanew
        and pe.imphash() == "2e4ae81fc349a1616df79a6f5499743f"
}
rule mal_PS_downloader {
    // PowerShell stager: fetches an "image" ($imageUrl / ".jpg?") with
    // .DownloadData(, cuts the payload out at a <<BASE64_START>> marker, loads it
    // reflectively via [System.Reflection.Assembly]::Load, and carries a reversed
    // "http://" ("//:ptth"). All six strings are required. scan_type is "Memory",
    // i.e. the rule is intended for process memory rather than files on disk.
    meta:
        author = "Cyble"
        description = "Detects Powershell downloader Files"
        date = "2023-08-25"
        os = "Windows"
        threat_name = "Powershell downloader"
        scan_type = "Memory"
        severity = 90
        reference_sample = "6f8e8ab842590c2c1d7b873ee0cea9940a99de6f9de5b5df7a46fa76c002e396"
    strings:
        $img_var    = "$imageUrl" ascii wide
        $img_ext    = ".jpg?" ascii wide
        $dl_call    = ".DownloadData(" ascii wide
        $b64_marker = "<<BASE64_START>>" ascii wide
        $refl_load  = "[System.Reflection.Assembly]::Load" ascii wide
        $rev_http   = "//:ptth" ascii wide
    condition:
        $img_var and $img_ext and $dl_call and $b64_marker and $refl_load and $rev_http
}
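rule Ransomware_WannaHusky {
    // WannaHusky (PMAT course sample). PE file containing the three hard-coded
    // Desktop paths the sample uses: the ransom-note image, the dropped
    // PowerShell script and the encrypted target file. All three are required.
    // Fixes: the meta key was misspelled "descritption" (tooling that reads the
    // description field would not find it); the "MZ" text string plus "$x at 0"
    // is replaced by the equivalent uint16(0) == 0x5A4D used throughout this set.
    meta:
        created = "2023-04-15"
        last_updated = "2023-04-15"
        author = "PMAT"
        description = "Yara rule for Ransomware_WannaHusky, a bonus binary in the PMAT course."
        hash = "3D35CEBCF40705C23124FDC4656A7F400A316B8E96F1F9E0C187E82A9D17DCA3"
    strings:
        $ransom_note_image = "@Desktop\\WANNAHUSKY.png"
        $ps_script = "@Desktop\\ps1.ps1"
        $target_file = "@Desktop\\target\\cosmo.WANNAHUSKY"
    condition:
        uint16(0) == 0x5A4D and all of them
}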
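rule linux_Babuk_ransomware {
    // Linux Babuk and its rebrands. ELF gate, then the full string set of any one
    // variant: the generic encryptor status / usage strings, the ".x1x2x3" +
    // "_r_e_a_d_m_e.txt" variant, the ".Cylance" variant, or the original
    // ".babyk" build with its "How To Restore Your Files.txt" note.
    // Fix: the meta section listed two "hash1" keys; the second is now "hash2".
    meta:
        author = "Marc Salinas @ CheckPoint Research"
        description = "Detects samples of the Linux ransomware family Babuk"
        malware_family = "Babuk"
        date = "09/08/2023"
        hash1 = "b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c"
        hash2 = "d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c"
    strings:
        // generic encryptor output
        $str1 = "Statistic:"
        $str2 = "Encrypted files: %d"
        $str3 = "Usage: %s /path/to/be/encrypted"
        // ".x1x2x3" extension variant
        $bablock1 = ".x1x2x3"
        $bablock2 = "/_r_e_a_d_m_e.txt"
        // ".Cylance" extension variant
        $cylance1 = ".Cylance"
        $cylance2 = "CYLANCE_README.txt"
        // original Babuk build
        $orig1 = "How To Restore Your Files.txt"
        $orig2 = ".babyk"
    condition:
        uint32(0) == 0x464c457f and (all of ($str*) or all of ($cylance*) or all of ($bablock*) or all of ($orig*))
}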
rule linux_ESXi_ransomware {
    // Linux/ESXi encryptor. ELF gate, then any of: the full usage line of the
    // "encrypt" tool, three of its four function-name / message strings, or one
    // of the three code fragments (the x64 fragments use fixed rbp-relative
    // offsets, so they are tied to this particular build's stack layout).
    meta:
        author = "Marc Salinas @ CheckPoint Research"
        description = "Detects samples of the Linux ransomware family ESXi"
        malware_family = "ESXi"
        date = "09/08/2023"
        hash1 = "11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66"
    strings:
        $usage = "usage: encrypt <public_key> <file_to_encrypt> [<enc_step>] [<enc_size>] [<file_size>]"
        $msg1 = "init_libssl returned %d\n"
        $msg2 = "encrypt_file"
        $msg3 = "encrypt_simple"
        $msg4 = "lseek [start]"
        $code1 = { 48 8B 85 80 FD FF FF 48 01 85 50 FF FF FF 48 8B 8D 38 FF FF FF C7 85 28 FD FF FF 67 66 66 66 C7 85 2C FD FF FF 66 66 66 66 48 8B 85 28 FD FF FF 48 F7 E9 48 C1 FA 02 48 89 C8 48 C1 F8 3F 48 89 D3 48 29 C3 48 89 9D 40 FD FF FF 48 8B 85 40 FD FF FF 48 C1 E0 02 48 03 85 40 FD FF FF 48 01 C0 48 89 CA 48 29 C2 48 89 95 40 FD FF FF 48 83 BD 40 FD FF FF 00 }
        $code2 = { 48 8B 85 30 FD FF FF 48 D1 E8 48 8B 95 30 FD FF FF 83 E2 01 48 09 D0 F2 48 0F 2A C0 66 0F 28 C8 F2 0F 58 C8 F2 0F 11 8D 48 FD FF FF }
        $code3 = { F2 0F 10 05 15 6F 00 00 F2 0F 59 85 48 FD FF FF F2 0F 11 85 28 FF FF FF 48 8B 85 48 FF FF FF 48 89 85 50 FD FF FF 48 83 BD 50 FD FF FF 00 }
    condition:
        uint32(0) == 0x464C457F and (1 of ($code*) or 3 of ($msg*) or $usage)
}
rule linux_Monti_ransomware {
    // Linux Monti encryptor. ELF gate, then either the code fragment or all four
    // status strings. The fragment stores absolute addresses (7F 44 4E 00, ...)
    // into locals, so it is specific to this build's layout; the string path is
    // the one that survives recompilation.
    meta:
        author = "Marc Salinas @ CheckPoint Research"
        description = "Detects samples of the Linux ransomware family Monti"
        malware_family = "Monti"
        date = "09/08/2023"
        hash1 = "edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1"
    strings:
        $msg1 = "Total encrypted: %s\n"
        $msg2 = "Encrypting %s\n"
        $msg3 = "Cannot rename file %s\n"
        $msg4 = "fork() error."
        $code = { 55 48 89 E5 48 83 EC 50 48 89 7D B8 48 89 75 B0 48 C7 45 C0 7F 44 4E 00 48 C7 45 C8 81 44 4E 00 48 C7 45 D0 84 44 4E 00 48 C7 45 D8 87 44 4E 00 48 C7 45 E0 8A 44 4E 00 C6 45 F3 05 C7 45 F4 00 00 00 00 48 8B 45 B8 48 85 C0 }
    condition:
        uint32(0) == 0x464C457F and (all of ($msg*) or $code)
}